An ICO investigation found that a series of avoidable data security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. This included full names, email addresses and phone numbers.

The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.

The ICO investigation found that credential stuffing, a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber’s data storage.
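Credential stuffing of the kind described above leaves a recognisable pattern in authentication logs: a single source address trying many different accounts in a short window, most attempts failing and the occasional one succeeding where a leaked pair happens to match. The Python below is an added example, not code from this article, from Uber or from the ICO; the log format, field names, IP addresses, account names and thresholds are all constructed for illustration, and a real deployment would tune the window and threshold to its own traffic.

```python
"""Detect credential-stuffing patterns in constructed login logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format (hypothetical): timestamp, source IP, account, outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample lines, not real traffic. 198.51.100.7 walks six different
# accounts in six seconds and gets one match; the other sources are ordinary users.
SAMPLE_LOG = """\
2016-10-13T02:00:01Z src=198.51.100.7 user=alice@example.com result=FAIL
2016-10-13T02:00:02Z src=198.51.100.7 user=bob@example.com result=FAIL
2016-10-13T02:00:03Z src=198.51.100.7 user=carol@example.com result=FAIL
2016-10-13T02:00:04Z src=198.51.100.7 user=dave@example.com result=FAIL
2016-10-13T02:00:05Z src=198.51.100.7 user=erin@example.com result=FAIL
2016-10-13T02:00:06Z src=198.51.100.7 user=frank@example.com result=OK
2016-10-13T02:01:00Z src=203.0.113.5 user=alice@example.com result=FAIL
2016-10-13T02:01:20Z src=203.0.113.5 user=alice@example.com result=OK
2016-10-13T02:30:00Z src=192.0.2.9 user=grace@example.com result=OK
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(lines, window_seconds=300, min_distinct_users=5):
    """Flag sources that attempt >= min_distinct_users distinct accounts within any window.

    Returns {src: {"peak_distinct_users", "attempts", "failures", "matched_accounts"}}.
    "matched_accounts" lists accounts that logged in successfully from a flagged source;
    those are the ones a defender would treat as compromised and force a credential reset on.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        in_window = Counter()  # account -> attempts currently inside the sliding window
        left = 0
        peak_users = 0
        failures = 0
        for right, ev in enumerate(events):
            in_window[ev["user"]] += 1
            if not ev["ok"]:
                failures += 1
            # Slide the left edge forward until the window fits within window_seconds.
            while events[right]["ts"] - events[left]["ts"] > window:
                old = events[left]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak_users = max(peak_users, len(in_window))
        if peak_users >= min_distinct_users:
            flagged[src] = {
                "peak_distinct_users": peak_users,
                "attempts": len(events),
                "failures": failures,
                "matched_accounts": sorted({e["user"] for e in events if e["ok"]}),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {stats}")
```

The distinct-account count per source is what separates stuffing from a legitimate user mistyping their own password several times, which is why the second and third sources are not flagged. The successful login from a flagged source is the actionable output: the account that matched is the one to reset and notify, and the source is the one to rate-limit or block.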

However, the customers and drivers affected were not told about the incident for more than a year, when it emerged that Uber had paid the cyber attackers $100,000 through its bug bounty programme to delete the stolen data and keep quiet about the breach.

ICO director of investigations, Steve Eckersley, said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The ICO said the incident, which is a serious breach of principle seven of the Data Protection Act 1998, had the potential to expose the customers and drivers affected to increased risk of fraud.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack,” said Eckersley.

“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

The data protection authority for the Netherlands, the Autoriteit Persoonsgegevens, has also issued Uber a fine of nearly £533,000 under its own pre-GDPR legislation. The Dutch regulator was the lead member of an international task force, which included the ICO, that co-operated in investigating the effects of the incident in their respective jurisdictions.

The General Data Protection Regulation (GDPR) has applied in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security.

Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17m or 4% of global turnover.

The timing of the Uber breach ahead of the GDPR enforcement date means that the civil monetary penalty has been issued under the previous legislation, the Data Protection Act 1998.

Kramer is suing Facebook in the San Mateo Superior Court in California over rights to access pictures of people wearing bikinis. Kramer had obtained the Facebook documents under “discovery”, a legal procedure that allows litigants sight of each other’s case papers.

The documents were sealed by a San Mateo, California Superior Court judge after months of legal wrangling between Facebook, Kramer’s company Six4Three, and media organisations. But the California court has no jurisdiction in the UK and the DCMS committee chair Damian Collins believes the documents contain insights relevant to the committee’s investigation into disinformation and fake news.

Richard Allan, Facebook’s vice-president for public policy, is expected to appear in London later today before legislators from seven countries investigating the social media firm for its role in election meddling and spreading disinformation.

The UK, Canada, Brazil, Latvia, Argentina, Ireland, Singapore, France and Belgium have repeatedly called on Facebook CEO Mark Zuckerberg to give testimony, but the firm announced last week it will be represented by Allan.
